HIMSS 2010 Security Survey Findings Highlight Efforts to Secure Electronic Patient Data and Comply with HIPAA Security Rule

Bob Belfort, Manatt Phelps & Phillips, LLP

Each year, the Healthcare Information and Management Systems Society (HIMSS) reports on U.S. health care providers’ efforts to secure electronic patient data. The 2010 Security Survey [pdf], which was released in November, features responses from 272 information technology and security professionals who answered questions about their organizations’ readiness to meet today’s security challenges.

Given Project HealthDesign project teams’ uncertainty about how to ensure compliance with many of the HIPAA Security Rule’s requirements when communicating with patients through mobile devices, I’d like to highlight a few findings from the HIMSS survey, which shows that many health care providers continue to struggle with Security Rule compliance:

• The HIPAA Security Rule requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of Electronic Protected Health Information held by the Covered Entity.” However, only three-quarters of all respondents reported that they have performed a risk assessment.
• Only half of respondents reported they have either a Chief Security Officer or a full-time staff member in place to handle their organization’s security function.
• At present, on a scale of one to seven, where one is not at all mature and seven is very mature, respondents rated the maturity of their security systems at an average of 4.43.
• Only slightly more than half of respondents reported that they provide information electronically stored by their organization in an electronic format to patients. Among respondents who reported that they make information available electronically to patients, the most frequently selected means of sharing this data is via a CD-ROM. Forty-three percent of respondents shared information via a web portal, while others reported sharing it through e-mails, USB thumb drives and PHRs offered by a third party.
• Mobile device encryption was one of the technologies most frequently identified for future consideration.

To me, these findings show that our project teams are not alone in struggling with how to safeguard their patients’ health information while still providing them with innovative new communication tools that facilitate better medical care. In addition, the resources necessary to develop creative security solutions may often be unavailable. And we all know that when you introduce mobile devices and other innovative ways of communicating with patients into the mix, securing patient data and complying with the HIPAA Security Rule only becomes more complicated.

As more and more mobile health care applications become available to patients, and as patients’ demands for electronic communications with physicians  grow, Project HealthDesign’s contribution to the discussion about how to ensure HIPAA compliance in this new world could not come at a more opportune time. My colleagues and I look forward to discussing this issue with you in our January webinar.

View the HIMSS 2010 Security Survey [pdf].

Health Reform and Health IT: Where Are They Headed?

By Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology

The November elections are largely behind us, but speculation about what the elections could mean for the future of national health reform is mounting. A number of successful candidates promised to repeal health reform, and many pundits see health reform as vulnerable to at least some revision by the new Congress.

No one has a crystal ball, but understanding the recent history of health reform can help us put these conversations in perspective.

The Obama administration’s health reform efforts were enacted in two parts – not all in one contentious health reform bill. The first phase of health reform was passed quickly as part of the economic stimulus bill enacted in February 2009.The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, invested $20 billion in incentives to encourage doctors and hospitals to use health IT for the electronic exchange of patient health information in order to improve individual and population health. This incentive program will begin in 2011, and preparations to implement the program began shortly after the legislation was enacted. Several critical changes to our nation’s health data privacy and security laws critical to building the public’s trust in health IT were also included.

Electronic medical records and increased sharing of electronic health information among health care providers and between providers and patients was seen as key to improving health care quality and increasing efficiency. Although there was some debate about the details of the program, support for health IT and its important role in reforming the health care system was broad and bipartisan. When then-Senators Barack Obama and John McCain were campaigning for the presidency, both expressed support for health IT as a critical component of health reform.

The second phase of health reform was the Affordable Care Act, which was enacted in March 2010. The more controversial aspects of health reform, including a mandate that individuals must purchase insurance coverage, were part of this bill. When political pundits talk about potential threats to health reform in the new Congress, they are most likely referring to provisions in the Affordable Care Act.

We do not presently know whether provisions of the Affordable Care Act, which is the second component of health reform, will be repealed or modified. Bipartisan support for health IT, however, still appears strong. Because lawmakers may still revise how the health IT money is spent or how the privacy and security provisions are to be implemented, some uncertainty remains. Even so, the whole of health care reform is not necessarily in jeopardy.

Pooling Intellects to Achieve Better Health IT Legal Policy

By Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology

Read all Manatt and CDT blog posts

 The most recent Project HealthDesign grantee meeting at the Vanderbilt Center for Better Health included a session on cross-cutting legal and policy issues.  The purpose of the session was primarily to seek input on legal issues – both real and perceived – that are confronting grantees in moving forward with their projects.  But grantees dug deeper and also teed up issues that, if not resolved by policymakers, are likely to create obstacles to more widespread adoption of care models that leverage technology to bridge the information gap between clinical care teams and patients to achieve better health outcomes.

Grantees brainstormed issues arising in three categories:  provider liability concerns, assuring the security of information transmitted between portable devices and other computer systems, and the lack of privacy protections for many types of personal health records.  The Manatt-CDT team will use this input to develop materials that recommend potential solutions to some of the more critical policy challenges.

Although we are still digesting these materials, I came away with these initial impressions:

• These open policy issues are clearly very important to grantees.  When we asked for feedback in the session, the response was almost overwhelming.
• Some issues showed up in more than one category, which of course underscores their cross-cutting nature and suggests a high degree of interdependency:  resolving concerns in one area can help us alleviate issues in another.  For example, if we had privacy and security provisions that covered health information regardless of who holds it, we would have less need to focus on whether information shared with a patient by mobile phone is or isn’t “PHI”.
• Some of the concerns raised in the legal/policy issues discussion were also raised in grantee discussions about the operational challenges for their projects.  For example, grantees discussed the challenge of getting the clinicians or care teams to incorporate patient data into their records and workflow.  This operational challenge is closely related to the legal challenge of providers’ concern about liability for responding to patient-generated data.  A thoughtful solution involving careful management of expectations of both patients and providers/care teams should help address concerns in both areas.
• A number of the concerns raised by grantees targeted clear gaps or uncertainties in the law – for example, what protections are available for data entered by patients onto social networking sites or what are entities’ specific responsibilities with respect to the security of mobile devices used by providers to communicate with patients.  Further efforts by the Manatt-CDT team will likely focus on these gaps and suggest potential solutions for further consideration by the public, industry stakeholders, and policymakers.
• Grantees also raised some issues that are fairly well covered by existing state and/or federal law, but different interpretations of the law, or risk averse behavior on the part of health care organizations and institutions, leads to uncertainty and an unwillingness to take action or experiment with different care models.  Cutting through these “interpretation” challenges is probably the most difficult hurdle of all.

Watch video of the brainstorming sessions: 

1. Portable Device Security
   
2. Personal Health Record Security
3. Provider Liability Concerns

Preparing to Dive into Cross-Cutting Policy Issues at the September Grantee Workshop A Call for Input

By Deven McGraw, Director, Health Privacy Project, Center for Democracy & Technology

Read all Manatt and CDT blog posts

As part of our role as regulatory/assurance consultants to Project HealthDesign, my Manatt colleagues and I are looking to identify “cross-cutting policy issues” that are either currently impacting your use of observations of daily living (ODLs) to enhance patient care, or that may create obstacles to more widespread use of ODLs.  

To date, the Manatt-CDT team has focused on the privacy and security legal issues affecting the structure and implementation of each grantee’s project.  For this next phase, we want to take it up a notch and think about issues beyond just the application of HIPAA and state health privacy laws. Based on our experience in working with the grantees, as well as conversations with the Project HealthDesign National Program Office, we have created an initial list of cross-cutting policy issues that we want to discuss during our the upcoming retreat (September 8-9) in Nashville.  The list includes:

• Provider liability concerns, including those related to reliance on inaccurate or incomplete data (stemming from ODLs or otherwise) and potential malpractice liability for not accessing or using information generated by patients.
• Assuring the security of information transmitted between portable devices and other computer systems, including use of text messages by providers to communicate with patients.
• The lack of privacy and security protections for many types of Personal Health Records (e.g., those not created on behalf of a HIPAA Covered Entity) and for models of collecting ODLs that may leverage social networking websites.

Our goal is to develop strategies to prevent these issues from impeding wider adoption of ODLs into clinical practice by providers throughout the country.  But before we take another step in our preparation for Nashville, we want to make sure that this list is the right list – that these are the policy issues that are “keeping you up at night,” (or at least nagging in the back of your mind).  Please jump in with comments below - feel free to send us your laundry list of favorite policy concerns.  We look forward to seeing you in Nashville.

HHS issues a plethora of important Health IT and privacy regulations

By Deven McGraw, Director, Health Privacy Project,Center for Democracy & Technology.

There have been some important developments this month related to the federal government’s efforts to encourage the adoption of electronic health records by providers (largely physicians and hospitals) and the use of those records to improve individual and population health.  Our first take on these long awaited rules is below.

Meaningful Use Criteria
On July 13, HHS released the final rules setting the requirements that providers must meet in order to be “meaningfully using” certified EHRs, which is the trigger for eligibility for federal Medicare and/or Medicaid subsidies beginning in 2011.  One rule establishes the requirements for meaningful use; another sets the criteria EHR technology must meet in order to certified. 

To engage patients in their health care, the criteria require providers to provide patients with electronic copies of their health information, upon request, within three business days.  Physicians also must provide patients with clinical summaries within three business days of an office visit.  The meaningful use criteria do not yet address the inclusion of patient-generated data like observations of daily living into EHRs – but discussions are underway to possibly include this in later stages of meaningful use (2013 and 2015).

Proposed Privacy and Security Regulation Changes to HIPAA
On July 14, the Department of Health and Human Services (HHS) published proposed regulations to implement changes to the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).  Members of the public can submit comments on the regulations from now through September 13, 2010. A summary of the proposed HIPAA modifications has been prepared by Manatt.

The proposed rule includes provisions that further bolster a patient’s right to receive copies of his or her health information. For example, it clarifies an individual’s right to request and receive a readable, electronic copy of his or her health information when the information is kept by the provider in electronic form.  The proposed rule also provides some additional details on an individual’s right to have that electronic copy sent directly to another individual or entity, such as a personal health record (PHR). But, it does not require that the electronic copy be computable; it also does not require providers to have an interface with every PHR on the market (so it may not always be possible for patients to have their information sent directly to the PHR of their choice).  However, this provision is viewed by many as an important first step to achieving more robust exchange of computable data between patients and their providers, and the hope (and expectation) is that the EHR and PHR marketplace will respond to this new opportunity.

But perhaps of more interest to users of PHRs is what was not in the proposed HIPAA rules: clarity on when PHRs are covered by HIPAA.  HITECH and the proposed rule state that a PHR is only covered by HIPAA if it is offered to individuals “on behalf of a covered entity.” (In such a case, the PHR is a “business associate” of the covered entity.)  The proposed rule unfortunately provides no guidance as to when a PHR is offered “on behalf of” a physician or hospital, and when it is offered independently.  This distinction is critical, as those PHRs that are covered by HIPAA are potentially permitted by law to access, use and disclose an individual’s health information without necessarily getting the individual’s consent .

A representative from the HHS Office of Civil Rights (OCR), which wrote the proposed rule and is tasked with enforcing it, recently clarified in a public forum that mere existence of a contract or interface between the PHR and the covered entity does not mean that the PHR is being offered “on behalf of a covered entity.”  Instead, OCR would look at the facts and circumstances of the arrangement between the PHR and the covered entity to determine whether or not the PHR was being offered to patients independently or on the covered entity’s behalf.  This confirms the approach used by the consultancy team at Manatt when they were analyzing the use of PHRs in Project HealthDesign and concluded that the PHRs were not covered by HIPAA.  CDT intends to submit comments to the proposed rule to urge OCR to issue more official guidance setting forth the factors it will use to analyze PHR/covered entity arrangements to provide more clarity to consumers, providers, and companies offering PHRs.

An Example of Our Regulatory/Assurance Function in Action

By Bob Belfort, Manatt Phelps & Phillips, LLP.

Over the past few weeks, my Manatt colleagues and I have met by phone with each of the Project HealthDesign grantees to review how existing state and federal laws governing the privacy and security of health information impact their projects, and what steps they should take to ensure compliance with those laws.

We talked about things like minimizing security risks associated with loss or theft of, or improper access to, portable devices and ensuring transmission security of information between portable devices and other computer systems. These requirements generally stem from the HIPAA Security Rule, which requires covered entities to employ administrative, physical, and technical safeguards to protect the confidentiality and integrity of protected health information maintained or transmitted electronically. 

To Encrypt or Not to Encrypt:  Text Message Transmission Security
We had a very interesting discussion with one grantee about health care providers’ use of text messages to send reminders and alerts to patients participating in their project.  It highlights the type of judgment calls that are often necessary when interpreting one’s responsibilities under HIPAA and state privacy laws.

Under the HIPAA Security Rule, a covered entity has discretion to adopt security measures within specified categories based on the entity’s size, complexity, capabilities and resources.  In addition, while certain security measures are required, others are “addressable,” which means that a covered entity has the flexibility, through a formal security risk analysis, to assess whether the measure is “reasonable and appropriate” in its particular environment and, if not, to adopt an alternative reasonable and appropriate measure.

As many of you know, there are obstacles to encrypting text messages.  Because the security measure that protected health information sent over an electronic communications network be encrypted is an “addressable” one under the HIPAA Security Rule, we engaged in a mini risk analysis during our call, weighing the risks of sending certain types of information through unencrypted text messages and considering how best to mitigate these risks.  One mitigation strategy we discussed was limiting the nature of the information transmitted. We talked through the risks associated with texting “Don’t forget to take your medication today” as compared to “You forgot to take your Lipitor today,” and discussed a variety of other potential scenarios.

The bottom line is that there is simply no bright line to guide a grantee’s decision whether to encrypt or not to encrypt, and, if not to encrypt, what types of alternative measures to adopt to ensure the security of the information being sent via text.  For example, while limiting text messages to “pointers” (e.g. “Check the Carrot.com for a note from your health coach.”) is probably the most conservative way to minimize the risk of unauthorized access to protected health information or other information sent via text, it may not be the most effective way to motivate patients to take control of their health.

This is one of the reasons we at Manatt and our partner Deven McGraw at the Center for Democracy and Technology are here:  to talk these types of questions through with grantees and assist in finding solutions that minimize legal risks but also work in practice.  We’ll be addressing these types of risks during standing monthly calls. We’re looking forward to some interesting conversations.

Translating Lessons Learned from Grantees into Meaningful Use

By Deven McGraw, Director, Health Privacy Project,Center for Democracy & Technology.

Sometimes the work of federal policymakers in Washington seems far away from the daily reality of trying to improve the health of individuals with chronic conditions. But as health IT incentives move forward at a rapid pace there has never been a better time to educate policymakers about our work.

As Project HealthDesign grantees demonstrate how technology can be leveraged to improve health, I am working with the legal and regulatory team at Manatt Phelps & Phillips, LLP to help bring their experiences into HITECH/ARRA implementation policy discussions.

In order for health care providers and hospitals to be eligible for health IT incentive payments under HITECH/ARRA, they need to adopt – and “meaningfully use” electronic health records to improve individual and population health across a number of domains. Unsurprisingly, domains include public health as well as care management and coordination among providers, but engaging patients and their families is also a criteria.

For those of us who believe in Project HealthDesign, the initial patient engagement meaningful use criteria are a good first step toward greater patient empowerment – but more work needs to be done. Thankfully there are opportunities this year and next to build on this foundation and set meaningful use criteria for the later stages of the incentive program that could move the needle even further on patient empowerment. For example, future meaningful use criteria could include providing patients with information in computable form (so it can be more easily incorporated into PHRs and smartphone applications) and incorporating “patient-generated” information (such as ODLs) into providers’ electronic health records. 

Project HealthDesign has already begun to take advantage of these opportunities and we look forward to working on bringing the vision of Project HealthDesign to more patients, their families, and their care providers. 

Tackling Legal and Policy Issues Associated with ODLs Integration

By Bob Belfort, Manatt Phelps & Phillips, LLP

Integrating observations of daily living with clinical practice workflow raises a number of legal and policy issues. Manatt, along with Deven McGraw at the Center for Democracy and Technology, is excited to be serving as legal and regulatory compliance consultants for Project HealthDesign to help navigate these challenges. The lessons we learn from analyzing these and other issues will help to inform the ever-evolving federal and state policy landscape governing exchange of ODLs and other information through PHRs. We will be identifying, collaboratively, a series of policy issues - and potentially crafting solutions to those issues - that will help to ensure more robust integration of patient-generated data into clinical workflow in the future. 

Our analysis is currently focusing on:

Privacy and Security
In Project HealthDesign, ODLs are flowing from the patient through portable electronic devices to data repositories maintained by research institutions or PHR vendors such as Microsoft or Google. Providers are then accessing the ODLs in these repositories in different ways. In addition, the reliance by many of the projects on portable devices maintained by patients means paying special attention to minimizing security risks in environments that are outside of the researchers’ control, an area most health care providers have not previously confronted. 

To address these and other privacy and security issues, we will be evaluating the implications of existing state and federal laws governing the privacy of health information. Some of the key legal issues applicable to the grantees’ research studies include:

• Ensuring patient authorization forms satisfy HIPAA and the patchwork of state laws.
• Minimizing security risks associated with loss or theft of, or improper access to, portable devices.
• Properly verifying subject identity.
• Ensuring transmission security of information between portable devices and other computer systems.
• Facilitating compliance with potential mandatory reporting obligations triggered by receipt of ODLs.

Concerns beyond Legal Compliance
Our obligation, however, goes beyond pure legal analysis. It includes providing policy advice even when there is no specifically applicable law. For example, it may be prudent to apply the same security standards to unregulated data that are applied to data that is subject to HIPAA. After all, in the event of a security breach, it is unlikely that the lead paragraph of the news story will be that the HIPAA security rule was inapplicable.

Risk Management
We will also be providing guidance on the risk management issues faced by providers in using ODLs.  Providers are concerned about an implied obligation to review ODLs that might be available to them. What if they overlook something critical? Can they rely on this type of information to make treatment decisions?  This is a new issue for providers, where standards of care are still evolving.

As we work through these issues we’ll be writing monthly blog posts. In the meantime, if there are any legal or regulatory concerns nagging at you, please comment below so we can have a look!